Professional Documents
Culture Documents
ABSTRACT only the federated identity providers themselves, but also the third-
Federated identity providers, e.g., Facebook and PayPal, offer a party application providers and advertising partners, to link a user’s
convenient means for authenticating users to third-party applica- account and track her activities across applications.
tions. Unfortunately such cross-site authentications carry privacy In order to tackle the above privacy problem, this paper presents
and tracking risks. For example, federated identity providers can Crypto-Book, an architecture that enables users to log into third-
learn what applications users are accessing; meanwhile, the appli- party applications anonymously or pseudonymously using their ex-
cations can know the users’ identities in reality. isting federated identities. At a high level, Crypto-Book could be
This paper presents Crypto-Book, an anonymizing layer enabling looked as an anonymizing layer between the user’s federated iden-
federated identity authentications while preventing these risks. Crypto- tity providers and third-party applications consuming the identi-
Book uses a set of independently managed servers that employ a ties. This anonymizing layer generates cryptographic pseudonyms
(t, n)-threshold cryptosystem to collectively assign credentials to for users based on their federated identities, thus enabling users to
each federated identity (in the form of either a public/private key- anonymously log into third-party applications with the pseudonyms.
pair or blinded signed messages). With the credentials in hand, Such pseudonyms not only prevent the application providers from
clients can then leverage anonymous authentication techniques such learning the user’s actual identity/profile information, but also blocks
as linkable ring signatures or partially blind signatures to log into the federated identity providers from linking a user’s identity across
third-party applications in an anonymous yet accountable way. different applications. Furthermore, Crypto-Book is capable of
We have implemented a prototype of Crypto-Book and demon- generating cryptographic pseudonyms from a combination of mul-
strated its use with three applications: a Wiki system, an anony- tiple federated identities (e.g., both Facebook and PayPal identities)
mous group communication system, and a whistleblower submis- to remain secure in the event that one of user’s federated identity
sion system. Crypto-Book is practical and has low overhead: in a provider accounts is compromised.
deployment within our research group, Crypto-Book group authen- While there have been many cryptographic schemes for anony-
tication took 1.607s end-to-end, an overhead of 1.2s compared to mous authentication [1–3, 5, 22, 23], these efforts typically assume
traditional non-privacy-preserving federated authentication. that users have public keys that are known or validated through PKI
– an assumption that has proven a major roadblock to widespread
Categories and Subject Descriptors use [40]. On the contrary, Crypto-Book aims at providing a system-
C.2.0 [Computer-Communication Networks]: General | Security atic effort that can incorporate different privacy-preserving crypto-
and protection graphic authentication methods without requiring any conventional
PKI or PGP-style key management.
1. INTRODUCTION Crypto-Book’s architecture contains three logical components:
Federated identity services have gained widespread popularity 1) a given client that represents the user; 2) a group of credential
among users as a simplifying means for managing their online iden- producers that interact with the client to manufacture cryptographic
tities. In particular, federated identity providers (e.g., Facebook and credentials for the client; and 3) credential consumers that vali-
PayPal) employ authentication protocols such as OAuth [20, 21] date these credentials and use them to create application-specific
and OpenID [34] to offer their users the convenience of using single pseudonymous accounts for the client. The credential producers,
identity – and thus a single credential – to log into and access var- each maintained or run individually, verify the user’s claimed iden-
ious third-party applications (e.g., Wiki and StackOverflow). This tity via the federated identity providers, then jointly manufacture
convenience, however, comes at the privacy cost of enabling not privacy-preserving credentials, so that the user does not need to
trust any one (or few) of these credential producers. While creden-
tial production itself uses standard threshold cryptography, a key
Permission to make digital or hard copies of all or part of this work for personal or
classroom use is granted without fee provided that copies are not made or distributed systems challenge Crypto-Book addresses is ensuring that all of the
for profit or commercial advantage and that copies bear this notice and the full cita- credential producers can securely and independently authenticate
tion on the first page. Copyrights for components of this work owned by others than the user’s federated identity via the unmodified OAuth protocol,
ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or re-
publish, to post on servers or to redistribute to lists, requires prior specific permission
without demanding that the human user perform multiple tedious
and/or a fee. Request permissions from permissions@acm.org. and seemingly-redundant OAuth logins in succession.
CODASPY’16, March 9–11, 2016, New Orleans, LA, USA. Users’ privacy expectations, in practice, often depend on the
c 2016 ACM. ISBN 978-1-4503-3935-3/16/03. . . $15.00
third-party applications the user is visiting. The Crypto-Book ar-
DOI: http://dx.doi.org/10.1145/2857705.2857736
1
chitecture is therefore designed to support different forms of pri- site the user logs into using her federated identity, and every time
vacy protection through multiple “pluggable” cryptographic cre- that they do so.
dential schemes. As examples of such designs, this paper presents
• Third-party applications can learn the user’s true identity and
and implements two distinct credential schemes within the Crypto-
often many profile details such as friends lists and location.
Book architecture.
• Crypto-Book can use partially blind signatures [1, 9] to create • Third-party applications can link users, and their corresponding
“at-large” anonymous access tokens enabling users to log into profile details, across applications, sharing or selling the infor-
third-party applications, optionally revealing only user-selected mation to advertisers.
information about the user to those applications, while protect- • If one of a user’s federated identity accounts is compromised,
ing the user’s identity from disclosure or linking. For example, the attacker is then able to access third-party applications using
a partially-blind credential could indicate that the user is over 21 this account.
years of age and has had a PayPal account in good standing for
at least a year (detailed in §4). Furthermore, whenever a user visits any page containing fed-
erated identity providers’ “Like" or “Share” buttons, the identity
• Using group credentials built on linkable ring signatures [26,35], providers may again learn that the user visited that page, enabling
Crypto-Book enables users to prove to be one of a set of fed- even more detailed tracking and sale of personal information. Ad-
erated identities (e.g. defined by a list of Facebook identities) ditionally, third-party applications often demand access to profile
without disclosing which member of the set they are, and with- information, contacts lists, and even write access (permission to
out requiring the other listed members to be Crypto-Book post on user’s behalf) and it is sometimes unclear to users what
users or have cryptographic keypairs (detailed in §5). these permissions will be used for, and not obvious after-the-fact
These two pluggable credential schemes are intended only as how they were actually used.
a useful starting point and are not intended to be definitive: they
could be improved in many ways utilizing more advanced crypto- 2.2 Motivating Use-Cases for Crypto-Book
graphic authentication techniques [38]. We now present three motivating use-cases for Crypto-Book. For
Our prototype implements these two credential schemes and sup- each use-case, we have built and evaluated a representative appli-
ports both PayPal and Facebook as federated identity providers. We cation using the Crypto-Book framework.
also prototyped three applications to evaluate Crypto-Book: 1) a Privacy-preserving “Login with Crypto-Book”. Crypto-Book
Wiki system exploring the use-case of supporting anonymous but can be used to provide general, privacy-preserving login function-
accountable editing on sites like Wiki; 2) an accountable anony- ality to third-party applications. An application may choose to in-
mous chatting system, Dissent [41], offering scalable and traffic clude a “Login with Crypto-Book” button which allows users to be
analysis resistant communication service; and 3) a SecureDrop [36] authenticated via Crypto-Book. The difference between Crypto-
like application enabling a whistleblower to convince a journalist Book privacy preserving login and existing federated authentica-
that she is a member of some authoritative group – such as a gov- tion, e.g.“Login with Facebook”, is that Crypto-Book login pre-
ernment official or company employee of a certain rank – without serves the user’s privacy and anonymity, while also protecting the
revealing her precise identity. We have deployed Crypto-Book lo- third-party applications from abuse. The application learns that the
gin for a web site used within our research group and evaluated user has been authenticated by Crypto-Book, and learns a pseudonym
the overall login time, as well as various performance microbench- for the user, but does not know the user’s actual identity, nor can
marks for each stage of the credential pickup and login processes. the application map back from the pseudonym to the user’s iden-
To summary, this paper makes the following contributions: 1) tity. For example, while Wiki allows anonymous editing, such priv-
a practical architecture offering privacy-protected and accountable ileges are often abused for vandalism. We built a system, CB-Wiki,
usage of existing federated identities; 2) multiple pluggable creden- that allows users to edit pages without revealing their identities but
tial schemes supporting different degrees of privacy and anonymity; at the same time allows the Wiki site administrators to sanction site
3) credentials derived from multiple federated identities, increasing abusers. CB-Wiki leverages Crypto-Book to provide anonymous
protection against identity compromise; and 4) comprehensive ex- yet linkable editing in a Wiki system environment.
periments demonstrating the practicality of the system.
Abuse-resistant anonymous communications. Crypto-Book is
additionally useful for authenticating users within anonymous chat
2. BACKGROUND AND MOTIVATION applications. Organizations may wish to allow members to discuss
This section first describes privacy issues of federated identity sensitive issues without revealing their individual identities but at
services (§2.1), and then presents three motivating use-cases for the same time limit access to their discussions to only members
Crypto-Book (§2.2). of the organization in an effort to prevent repressive authorities or
other undesirable outsiders from viewing the communications. The
2.1 Privacy Concerns with Federated Identity Crypto-Book architecture could be used to give such applications a
reason not to block Tor [16], by authenticating users anonymously
Through federated identity based authentication, a user can log
in an abuse resistant manner. This would allow applications to
into third-party applications without having to maintain separate
counter anonymous abuse without compromising anonymity. The
accounts for each of the applications. Well-known federated iden-
Tor Project issued a “call to arms” seeking solutions to this is-
tity providers in practice include Facebook, Google+ and PayPal;
sue1 . We built CB-Dissent on Dissent [12,41], an anonymous group
representative third-party applications supporting federated iden-
communication application. CB-Dissent shows how the integration
tity authentication include Quora and StackOverflow. While fed-
of anonymous authentication with anonymous communication sys-
erated authentication offers great convenience from the perspective
tems can better protect the identities of the users.
of the user, it also introduces or exacerbates several privacy risks,
of which Crypto-Book focuses on the following. 1
https://blog.torproject.org/blog/call-arms-helping-internet-
• The federated identity providers can learn every application or services-accept-anonymous-users
2
tional, disjoint layers – credential producers and credential con-
sumers – between the federated identity providers and the third-
party applications. In particular, credential producers interact with
the federated identity providers to collectively map clients’ fed-
erated identities to privacy-preserving cryptographic credentials.
Clients then submit these credentials to credential consumers, which
create cryptographic pseudonyms/accounts for the clients, allowing
the clients to authenticate with cooperating third-party applications
using these pseudonyms rather than their true federated identities.
3
(e.g., Facebook ID) that the user claimed to have. For multiple fed-
erated identity providers (e.g., Facebook and PayPal), each creden-
tial producer also verifies that the user attributes (i.e., date of birth
and email address) are the same for both the Facebook and Pay-
Pal accounts. In order to obtain a verified PayPal account, a user
needs to connect her real-world bank account or credit card, which
requires showing her real-world identity (e.g., driver license) in per-
son at a bank. This provides a higher barrier to entry and makes
it much more difficult for someone to assume a fake identity.
Step 3. After each producer verifies all identities with their respec-
tive providers, assuming all verify successfully, the producer re-
turns a share of the cryptographic credential to the client. The client
then combines the shares from all contacted producers and stores
the resulting cryptographic credential for use in future privacy-protected
logins.
3.4.1 Design Intuitions
It is crucial that each producer performs its own OAuth authenti-
cation and receives its own OAuth token. A strawman design uses
only one OAuth workflow with a single OAuth token and forwards
this token to each of the credential producers. The problem with
this is that each credential producer can forward the token to other
producers to impersonate the user. Having separate OAuth work-
flows for each producer protects against this.
While security requires each of multiple credential producers to
verify one or more of the user’s federated identities, we do not
wish to subject the human user to a tedious process of typing pass-
words into many federated identity provider login dialogs in suc-
cession. The Crypto-Book client hides the multiple-independent-
authentications from the human user, on the client side using a
Figure 2: Client collects credentials from multiple credential pro- Chrome plugin.
ducers. Crypto-Book credential producers support multiple cryptographic
credentials, requiring only that the credential be adaptable to a
(t, n)-threshold cryptosystem; any set of at least t honest producers
or non-profit organizations each deploying a cluster of the creden- must be able to produce a valid credential which will be accepted
tial producer servers, as either a for-profit or donation-funded com- by any honest credential consumer, while any set of fewer than t
munity service.This assumption on servers has been demonstrated producers must not be able to produce such a credential.
to be reasonable in practice [16, 41]. These servers can support
various credential schemes (shown in §4 and §5), enabling Crypto- 3.5 Credential Consumers
Book to satisfy different users’ privacy expectations in practice. Credential consumers map cryptographic credentials to crypto-
To obtain cryptographic credentials, a Crypto-Book client con- graphic pseudonyms that can then be used to authenticate with
tacts a threshold t of the n credential producers, each of which third-party applications. The cryptographic pseudonyms produced
independently authenticates the user with respect to one or more by credential consumers are unlinkable to the actual federated iden-
federated identity providers. This process is outlined in Figure 2, tities from which they are derived. Credential consumers typically
and proceeds as the following three steps. We note that credential take one of two forms: OAuth provider or application-embedded
production is performed only once for each third-party appli- consumer.
cation that a client wishes to access, not on every authentica-
OAuth provider consumer. OAuth provider consumers operate
tion.
externally to third-party applications. They map cryptographic cre-
Step 1. Each credential producer prompts the user to perform a dentials to anonymous identities and then expose those identities to
non-anonymous OAuth federated authentication with each of the third-party applications via the OAuth protocol. Applications in-
federated identity providers (e.g., Facebook and PayPal). Each cre- teract with OAuth provider consumers just as they would directly
dential producer then redirects the client to the federated identity with conventional federated identity providers. Third-party appli-
provider’s login page for authentication. Upon successful authen- cations already using federated authentication require little modi-
tication, the client receives a unique OAuth token corresponding to fication to support OAuth provider credential consumers; such in-
the specific federated identity provider and identity. tegration, however, requires that the application trust the OAuth
Step 2. The client sends these tokens to the producer who ini- provider. There is nothing, however, preventing a third-party ap-
tiated that authentication. With these tokens, the corresponding plication from running its own OAuth provider consumer, inde-
credential producers can access and validate the user’s profile in- pendent of the application but still under the same administrative
formation. Credential producers request only the minimum access domain.
necessary to verify that the identity is valid. Each credential pro- Application-embedded consumer. An application-embedded cre-
ducer verifies via federated identity provider’s profile-access API dential consumer exists directly within a third-party application,
(e.g., the Facebook API) that the federated identity for which the either via an imported library or a custom implementation of the
OAuth token was obtained corresponds to the federated identity consumer. Using this approach the application need not trust an
4
external provider, but at the cost of ease of integration with existing 4.2 Producing At-Large Credentials
authentication mechanisms. To produce an at-large credential, clients and credential produc-
ers play the requester and signer roles, respectively, in the blind
4. AT-LARGE CREDENTIAL SCHEME signatures signing process (§4.1).
This section presents the first of two concrete credential schemes In practice, we assume that each credential consumer has a unique,
we have built on top of Crypto-Book. The at-large credential scheme publicly known identity, analogous to the application identity in the
does not explicitly constrain the anonymity set of a user, but instead OAuth protocol. For a given consumer, we refer to this identity as
represents that the user has been verified as the owner of some fed- idc . In order to prevent replay attacks in which one credential con-
erated identity. The anonymity set for each at-large credential is sumer can use a client’s successful login to impersonate the client at
then implicitly all users who have ever collected a credential in the another consumer, at-large credentials are bound to a specfic con-
time period before the credential was used. Credential producers sumer.
enforce the accountability of at-large credentials by restricting the Initialization & blinding phases. To produce an at-large creden-
number of credentials they produce for a given federated identity tial, a client first chooses a value r to serve as the credential’s
within a period of time (i.e. rate-limiting). We then extend at-large unique identifier. The value r must be kept secret and should be
credentials to optionally include credential attributes, such as “age uniquely chosen for each at-large credential a client obtains. The
over 18” or “identity active for at least one year”, which are also client binds the identifier to a specific consumer to obtain the mes-
verified with the identity provider at the time of credential produc- sage m = H(r, idc ) and requests a blind signature on m from at
tion. least t of the n credential producers, uniquely blinding the mes-
sage m for each of the requests. In this way, the producers learn
4.1 Building Block: Blind Signatures neither the credential identifier nor the identity of the consumer the
The blind signature [1, 9, 37] is a cryptographic primitive, where credential is for.
a requester can request a signer to sign one or more messages, Signing & unblinding phases. Upon receiving a signature request,
while the signer cannot learn the signed message’s content. Given a credential producer must first verify the requesting client’s feder-
the message-signature pair, a public verifier is able to verify the ated identity with the appropriate provider(s) (e.g. Facebook and
legitimacy of the signature. In our architecture, the client is the PayPal). If verification succeeds, the producer then checks any
requester, each credential producer is a signer and the credential rate-limit restrictions for the federated identity. If the limit has not
consumer is a verifier (of multiple signatures). In our work we use been exceeded, the producer reponds with a blinded signature s′i
the blind signature scheme proposed by Shen et al. [37] which we on (blinded) message m. The client waits for successful responses
outline below in the context of our system. The process involves from at least t of the n credential producers and unblinds the signa-
the following five phases. tures to obtain vector s1 , s2 , . . . , st . This vector serves an at-large
Initialization phase: The credential producer chooses a large prime credential with identifier r, valid for the credential consumer with
p and α as a primitive root modulo p. In addition, the producer ran- identity idc .
domly chooses a number x (2 < x < (p − 2)) and then computes
y = αx mod p. The producer publishes (y, α, p) as the public 4.3 Consuming At-Large Credentials
key, keeps x as the private key, and chooses a one-way hash func- Credential consumers can specify which at-large credentials they
tion h(g) such as SHA-1. accept based on the threshold of the credential, dictating the num-
Blinding phase (client and credential producer): The client has ber of signatures required. To authenticate with a credential con-
a message m and wants to have it signed by the producer. First, sumer with identity idc and requiring a threshold t at-large creden-
the client sends a request to the producer for signing the message tial, a client must provide the credential consumer with a credential
m. The producer then randomly chooses a number k̃, such that identifier r along with a vector s1 , s2 , . . . , st of signatures from
gcd(k̃, φ(p)) = 1. The producer computes r̃ = αk̃ mod p. After at least t unique credential producers. The consumer first hashes
computing r̃, the producer sends r̃ to the client. When the client the provided credential identifier with its own identity to reproduce
receives r̃ from the producer, the client randomly chooses the set message m = H(r, idc ) and then uses the public keys of the cre-
of values (a, b, c), so that parameters (a, b, c) are relatively prime dential producers to verify that each of the provided signatures is, in
to the value φ(p). The client then computes r = r̃a y b αc mod p fact, a valid signature on message m. If at least t signatures verify,
and the hash value h(m) generated by the hash function h(g). The the consumer authenticates the client using an anonymous identity
client then blinds m with the equation m̃ = a−1 (c + m + r) − r̃ derived (using a deterministic, one-way function) from credential
mod φ(p). After that, the client sends m̃ to the signer. identifier r.
Signing phase (producer): When receiving the value m̃, the pro- 4.4 Credential Attributes
ducer computes s̃ = (k̃ + (m̃ + r̃))x−1 mod φ(p). The producer
then sends the value s̃ to the client. Credential attributes allow credential consumers to enforce gen-
eral restrictions on the at-large credentials they accept. For exam-
Unblinding phase (client): After receiving s̃ from the producer, ple, some credential consumers may require that all users be at least
the client computes s = as̃+b mod φ(p) and obtains the message- 18 years of age. Credential attributes can also be used to provide a
signature (m, r, s). The client can then send the message-signature higher barrier to entry by requiring, for example, that a Facebook
pair (m, r, s) to the credential consumer. identity has been active for at least one year.
Verifying phase (credential consumer): When the consumer re- The at-large credential scheme supports credential attributes by
ceives the message-signature pair (m, r, s), the verifier can use the using partially blind signatures. Partially blind signatures [1] are a
one-way hash function h(g) and the public key (y, α, p) to ver- modification to blind signatures in which part of the message, the
ify the legitimacy of the signature by checking V1 = V2 so that, info tag, remains visible to the signer. This allows the signer and
V1 = y s mod p and V2 = rαr+h(m) mod p. If V1 = V2 , then verifiers to share additional information about the context of the
the verification passes; else the verification fails. blind signature.
5
Clients bind attributes to at-large credentials by including each the client to pick up a single credential and then “re-blind” it for
desired attribute in the info tag of their signing requests. Each cre- use across multiple sites while maintaining cryptographic unlink-
dential producer then additionally verifies all of the attributes with ability and abuse-resistance. Since Crypto-Book’s immediate goal
the federated identity provider and produces a signature only if all is not to find the “ultimate” cryptographic credential scheme but
check out. Credential consumers enforce credential attributes by to fit cryptographic credentials (of any kind) into a usable OAuth-
ensuring that each signature presented by the client contains all re- compatible architecture, we leave more advanced at-large creden-
quired attributes in the info tag. An inherent restriction on cre- tial schemes to future work.
dential attributes is that they must be verifiable with the federated
identity provider.
5. GROUP CREDENTIAL SCHEME
4.5 Rate-Limits via Attributes In this section, we plug another credential scheme, group cre-
Credential attributes additionally allow for finer control over the dential scheme, into our Crypto-Book architecture.
rate-limits imposed on at-large credential production. Rather than As an alternative to at-large credentials, in which anonymity sets
relying on producers to choose a proper default rate for all applica- form implicitly, group credentials allow an individual to authen-
tions (e.g. x credentials per identity per week), clients can instead ticate explicitly as some member of a larger, well-defined set of
specify a time interval (e.g. 3 days) with each credential request; users. We describe a group credential scheme construction based
only if the producer has not already issued the federated identity on linkable ring signatures in this section.
an at-large credential during the preceding interval does produc-
tion succeed. As credential attributes are accessible by credential 5.1 Building Block: Ring Signatures
consumers, a consumer can inspect the interval associated with Ring signatures [35] rely on group signatures [10] and allow
each credential and in turn elect to accept only those credentials third-parties to verify that a message was signed by one of a well-
satisfying criteria the consumer itself defines. Some consumers defined set of private keys, but do not reveal which specific key.
may accept 1-hour credentials while other, more abuse-conscious Ring signatures are particularly useful for associating properties of
consumers may require 1-month credentials, allowing consumers a group as a whole, such as credibility in our CB-Drop example,
themselves to determine the degree of accountability they wish to with the signed message. Liu et al. propose linkable ring signa-
enforce. tures (LRS) [26]. LRS is an extended version of ring signatures
with the additional property of linkability – for any two linkable
4.6 Security/Privacy Properties ring signatures, a third party can determine whether or not the two
The at-large credential scheme is designed to provide the follow- signatures were produced using the same private key by comparing
ing properties, which correspond to our privacy goals: the linkage tag properties of the signatures. We use the linkability
• Anonymity During credential production, the producers learn property to add accountability to anonymous credentials. The LRS
the user’s federated identity, but not the anonymous identity de- process consists of four phases.
rived from the credential. During credential consumption, the Initialization phase (credential producer and client): Let G =
third-party applications only learn the credential, but not the hgi be a group of large prime order q. Let H1 : {0, 1}⋆ → Zq and
user’s federated identity. Only the user herself knows both pieces H2 : {0, 1}⋆ → G be independent hash functions. Each member
needed to complete the mapping between identities. (e.g. Facebook profile) i (i = 1, ..., n) has a distinct public key
• Unlinkability For any two at-large credentials, neither creden- yi , and private key xi (assigned by the credential producers) so
tial producers nor consumers can determine whether they corre- that yi = g xi . Let L = {y1 , ..., yn } be the list of n public keys
spond to the same federated identity. (assigned to federated identities by producers).
• Accountability Each at-large credential is bound to a unique Signature generation phase (client): Given the list of public keys
identifier. If a user misbehaves, the credential with which the L, which the client collects from the producers, the client first uses
user authenticated can be blacklisted by the consumer, effec- her private key xπ , which corresponds to her public yπ (1 ≤ π ≤
tively banning the user just as with any non-anonymous identity. n), to compute h = H2 (L) and ỹ = hxπ . Then, she picks u ∈
Producers provide abuse resistance by limiting the rate at which Zq and computes ci+1 = H1 (L, ỹ, m, g u , hu ), where m is the
new credentials are assigned to each federated identity. message the client wants to sign with an LRS. Next, for
i = π +1, ..., n, 1, ..., π −1, the client picks si ∈ Zq and computes
• Unforgability Each at-large credential requires a signature from
ci+1 = H1 (L, ỹ, m, g si yici , hsi ỹ ci ). Finally, the client computes
t of the n credential producers; no colluding group including
sπ = u−xπ cπ mod q. The LRS for the message m is σL (m) =
fewer than t dishonest producers can produce a forged credential
(c1 , s1 , ..., sn , ỹ).
that will be accepted by an honest consumer.
We provide a security analysis of how Crypto-Book provides Verification phase (credential consumer): Suppose a credential
these properties and which attacks it does and does not protect consumer receives a message m signed by σL (m) = (c1 , s1 , ..., sn , ỹ)
against in our technical report [8]. and the consumer knows the public key list L (obtained from the
producers), the consumer first computes h = H2 (L). For i =
4.7 Discussions 1, ..., n, the consumer computes zi′ = g si yici and zi′′ = hsi ỹ ci and
Crypto-Book’s current at-large credential scheme requires the then ci+1 = H1 (L, ỹ, m, zi′ , zi′′ ) if i 6= n. Finally, the consumer
client to obtain a separate blind signature for each third-party ap- checks if c1 = H1 (L, ỹ, m, zn′ , zn′′ ). If so, the consumer accepts
plication or site the user wishes to visit for the first time, to pro- the signature and the client is authenticated; otherwise authentica-
tect the user from being linked across applications. This limitation tion fails.
may be an inconvenience, especially if Crypto-Book’s rate-limits Linkability checking (credential consumer): Given two signa-
′
interfere with a user’s legitimate attempts to explore several third- tures σL (m′ ) = (c′1 , s′1 , ..., s′n , ỹ ′ ) and
′′
party sites in a short time period. Adopting a more sophisticated σL (m′′ ) = (c′′1 , s′′1 , ..., s′′n , ỹ ′′ ) corresponding to messages m′ and
cryptographic credential scheme such as BLAC [4,38] might allow m′′ , the consumer can check whether the two signatures are from
6
the same signer by checking if y˜′ = ỹ ′′ . This allows the consumer creating a new account if this was the first authentication for the
to maintain a consistent pseudonym for each client. given tag.
7
In order to maintain the convenience users have come to ex- 20
Application authorization
pect of federated authentication, we have implemented a web-based Facebook authentication
Crypto-Book client, named CB-Login. CB-Login combines an 15
application-embedded consumer with a Google Chrome extension
Time (s)
to offer a one-click login experience akin to a privacy-preserving 10
“Login with Facebook”. The Chrome extension retrieves and man-
ages group credentials and generates linkable signatures in the web 5
browser, uploading the signatures to the CB-Login consumer. The
consumer verifies the signatures and produces anonymous identi- 0
1 2 3 4 5 6 7 8 9 10
ties based on the linkage tags of the signatures. CB-Login requires Credential Producers
no more user interaction than a traditional federated authentication.
Figure 3: Facebook application authorization
6.1 Applications
We have implemented three applications on top of the Crypto- Key Parameters Signature Size (Bytes)
Book architecture: CB-Wiki, CB-Dissent and CB-Drop, concretiz- (1024,160) 210
ing the motivating use-cases outlined in §2.2. In addition, we also (2048,224) 287
implemented OAuth provider functionality in our client CB-Login (2048,256) 325
to allow other applications to more easily incorporate Crypto-Book (3072,256) 326
as a federated identity provider.
Table 1: Partially blind signature size
CB-Wiki is a Wiki system based on MediaWiki [30] that allows
users to log in as anonymous yet accountable pseudonymous iden-
tities rather than personally identifiable users. This design benefits
• Clients are consumer laptops with 2.4GHz Intel Core i5 proces-
both users, who can edit Wiki pages without disclosing their iden-
sors and 8GB of RAM.
tity, and administrators, as if a user repeatedly vandalizes a page or
conducts other forms of system abuses an administrator can issue • Credential producers are nodes on the geographically distributed
warnings or other sanctions (i.e. banning) just as for any traditional, PlanetLab [11] network. A typical PlanetLab node has a 2.4GHz
non-anonymous user. Intel Xeon processor and 4GB of RAM.
CB-Dissent is a system that combines the Crypto-Book anony- • Credential consumers are commercial shared hosting providers
mous authentication architecture with the Dissent [12, 41] scal- also with 2.4GHz Intel Xeon processors and 16GB of RAM.
able anonymous messaging system. CB-Dissent is an anonymous In selecting experimental key pairs we followed NIST recom-
authentication system that allows users to anonymously request a mendations [33] for DSA keys where the tuple (L, N ) specifies
Dissent session (a set of Dissent servers) to be started and then to the bit-length of the p and q parameters, respectively. If a parame-
anonymously authenticate themselves and connect to that Dissent ter tuple is not specified, it is assumed to be (1024, 160).
group. Unlike in traditional Dissent, in CB-Dissent servers do not
learn the actual identities of the clients connected to them, but only 7.2 Producing Credentials
that the client is a valid Crypto-Book identity. In this section we evaluate the production of credentials in both
CB-Drop builds on SecureDrop [36], an open-source whistleblower the at-large and group credential schemes.
submission system developed by the Freedom of the Press Foun-
dation. SecureDrop allows journalists to accept sensitive docu- 7.2.1 Facebook Application Authorization
ments from anonymous sources via a web interface running as a In both the at-large and group credential schemes a first-time
Tor hidden service. CB-Drop adds credibility to leaks by allowing user must authorize a credential producer’s application with a sup-
a source to anonymously sign a document using a relevant set of ported federated identity provider before retrieving any credentials
Crypto-Book identities before submitting it via SecureDrop. Upon from that producer. We evaluated the time taken to complete this
retrieving the document, a journalist can then verify the signature, step for a varying number of credential producers, with Facebook
increasing confidence in the authenticity of the leak without com- as the federated indentity provider. We used our Chrome extension
promising the source’s anonymity. to automate the authorization process and performed all authoriza-
tions in parallel. Results are presented in Figure 3, drawing dis-
tinction between time spent authenticating with Facebook and time
7. EVALUATION spent authorizing the Crypto-Book application. The times shown
To evaluate the practicality of Crypto-Book we consider both are those of the last credential producer to return. A client only
end-to-end measurements in expected deployment scenarios and ever needs to perform this setup step once, the first time they
microbenchmarks focusing on scalability of specific components. ever use Crypto-Book.
We first describe the experimental setup and then evaluate cre-
dential production and consumption in both proposed credential 7.2.2 At-Large Credentials
schemes. We conclude by evaluating Crypto-Book in the context An at-large credential consists of partially blind signatures from
of our example applications. Evaluations of CB-Drop, as well as t credential producers. As each signature is obtained independently
code modification metrics for CB-Wiki, CB-Dissent and CB-Drop from all others, we focus on time taken to obtain a single signature.
are available in our technical report [8]. As discussed in Section 4, a signature is generated collaborately by
the client and a producer. Network overhead consists of two round
7.1 Experimental Setup trips between producer and client where the second trip is depen-
The experimental setup for the following evaluations include three dent on the size (and hence strength) of the signature. Signature
classes of machines, based on role in the system: sizes for varying signing key sizes are shown in Table 1.
8
0.05 4
Signing (Client) 3.5 Private key
0.04 Signing (Producer) Public key
Verification 3
2.5
Time (s)
Time (s) 0.03
2
0.02 1.5
1
0.01
0.5
0 0
(102 (2 (2 (3 1 2 3 4 5 6 7 8 9 10
4,16 048,22 048,25 072,25
0) 4) 6) 6) Credential Producers
Figure 4: Partially blind signature operations Figure 6: Retrieval of previously generated keys
9
100 100
(3072,256) (3072,256)
10 (2048,256) (2048,256)
(2048,224) (2048,224)
(1024,160) 10 (1024,160)
Size (KB)
Time (s) 1
0.1
1
0.01
0.001 0.1
1 10 100 1000 1 10 100 1000
Ring size Ring size
Figure 7: Linkable ring signature generation Figure 9: Linkable ring signature size
100 100
(3072,256) (3072,256)
10 (2048,256) (2048,256)
(2048,224) 10 (2048,224)
(1024,160) (1024,160)
Time (s)
Time (s)
1
1
0.1
0.1
0.01
0.001 0.01
1 10 100 1000 1 10 100 1000
Ring size Ring size
Figure 8: Linkable ring signature verification Figure 10: CB-Dissent authentication time
7.4 CB-Dissent Authentication towards account checking however still did not consider key assign-
Finally, we evaluated group authentication in our CB-Dissent ment. Opaak [29] is a system that attempts to provide some Sybil
implementation. This experiment measures the time required for resistance through relying on a cellphone as a scare resource. Su-
a client to authenticate with a single Dissent server acting as an doWeb [25] looked at limiting the amount of Facebook information
application-embedded consumer. We again varied the group size disclosed to third party sites but did not consider fully anonymous
between 1 and 1000, presenting the results in Figure 10. For a online IDs.
group size of 100 and 2048-bit keys, authentication again takes un-
der 1 second. While this is a significant overhead compared to tra- 9. CONCLUSIONS
ditional pre-exchanged key authentication, it remains well within We have demonstrated Crypto-Book, a practical and pluggable
practical limits. architecture for providing privacy preserving online identities based
on federated identity providers. As two examples, this paper de-
8. RELATED WORK ploys two different credential schemes into Crypto-Book through
Existing work on anonymous credential systems include BLAC [4, adapting two cryptographic primitives, blind signature and linkable
38] which supports blacklisting of anonymous credentials in cer- ring signature, respectively. The two deployments are capable of
tain situations. There have been a wide variety of other approaches supporting different needs of privacy protection.
to anonymous credential systems including those based on group We have implemented three major applications, CB-Wiki, CB-
signatures [2, 3, 5, 10], dynamic accumulators [6, 7] and Nymble Dissent, and CB-Drop, on top of Crypto-Book and shown them to
systems [22, 23]. have good scalability properties. We believe that Crypto-Book is a
Felt and Evans [18] examine privacy protection in social net- practical way to provide federated identity users with accountable
working APIs. The deployment of public key cryptography over pseudonyms and many applications could be developed on top of
social networks was considered by Narayanan et al. [32] where Crypto-Book.
they considered key exchange over social networks. They consid- There remain a large number of areas for future research based
ered using social networks as a public key infrastructure (PKI), they on our architecture as well as many applications that could be de-
did not implement any applications that use the public keys. veloped on top of Crypto-Book leaving open a wide range of areas
Various schemes have been proposed to protect user data within for investigation building on our results in future work.
an online social network [13, 19, 27, 28], by encrypting the con- Acknowledgments
tent stored within the social network. However these schemes did
not consider the privacy risks involved when a user uses their on- We wish to thank the anonymous CODASPY reviewers as well as
line social networking identity to identify themselves with third Joan Feigenbaum, Ramki Gummadi and Anil Somayaji for their
parties such as logging into other websites using their Facebook valuable feedback. This work is supported in part by NSF grants
credentials. Dey and Weis [14] proposed PseudoID, a similar sys- CNS-1407454 and CNS-1409599.
tem based on blind signatures for privacy protected federated lo-
gin, however their scheme does not handle key assignment as our 10. REFERENCES
work does. A similar blind signature based system was proposed by [1] Masayuki Abe and Tatsuaki Okamoto. Provably secure
Khattak et al. [24]. Watanabe and Miyake [39] made initial efforts partially blind signatures. In 20th CRYPTO, 2000.
10
[2] Giuseppe Ateniese, Jan Camenisch, Marc Joye, and Gene schemes-privacy enhanced & trustworthy approach. Journal
Tsudik. A practical and provably secure coalition-resistant of Advances in Information Technology, 2(2):109–121, 2011.
group signature scheme. In 20th CRYPTO, 2000. [25] Georgios Kontaxis, Michalis Polychronakis, and
[3] Giuseppe Ateniese, Dawn Song, and Gene Tsudik. Evangelos P Markatos. SudoWeb: Minimizing information
Quasi-efficient revocation of group signatures. In 7th FC, disclosure to third parties in single sign-on platforms. In
January 2003. Information Security, pages 197–212. Springer, 2011.
[4] Man H Au, Apu Kapadia, and Willy Susilo. BLACR: [26] Joseph K Liu and Duncan S Wong. Linkable ring signatures:
TTP-free blacklistable anonymous credentials with Security models and new schemes. In ICCSA, May 2005.
reputation. In 19th NDSS, February 2012. [27] Matthew M Lucas and Nikita Borisov. Flybynight:
[5] Dan Boneh, Xavier Boyen, and Hovav Shacham. Short group mitigating the privacy risks of social networking. In
signatures. In 24th CRYPTO, 2004. Proceedings of the 7th ACM workshop on Privacy in the
[6] Jan Camenisch and Anna Lysyanskaya. Dynamic electronic society, pages 1–8. ACM, 2008.
accumulators and application to efficient revocation of [28] Wanying Luo, Qi Xie, and Urs Hengartner. Facecloak: An
anonymous credentials. In 22nd CRYPTO, August 2001. architecture for user privacy on social networking sites. In
[7] Jan Camenisch and Anna Lysyanskaya. An efficient system Computational Science and Engineering, 2009. CSE’09.
for non-transferable anonymous credentials with optional International Conference on, volume 3, pages 26–33. IEEE,
anonymity revocation. In EUROCRYPT, May 2001. 2009.
[8] Technical Report: Providing Abuse Resistant Pseudonyms [29] Gabriel Maganis, Elaine Shi, Hao Chen, and Dawn Song.
for Federated Online Identities with Cobra. https://www. Opaak: using mobile phones to limit anonymous identities
dropbox.com/s/c90jn2om7ahlth4/anon-tech-report.pdf?dl=0. online. In Proceedings of the 10th international conference
[9] David Chaum. Blind signatures for untraceable payments. In on Mobile systems, applications, and services, pages
CRYPTO, 1982. 295–308. ACM, 2012.
[10] David Chaum and Eugène Van Heyst. Group signatures. In [30] MediaWiki. http://www.mediawiki.org.
EUROCRYPT, April 1991. [31] Moni Naor. Deniable ring authentication. In 22nd CRYPTO,
[11] Brent Chun, David Culler, Timothy Roscoe, Andy Bavier, August 2002.
Larry Peterson, Mike Wawrzoniak, and Mic Bowman. [32] Arvind Narayanan, Narendran Thiagarajan, Mugdha
Planetlab: an overlay testbed for broad-coverage services. Lakhani, Michael Hamburg, and Dan Boneh. Location
ACM SIGCOMM Computer Communication Review, privacy via private proximity testing. In Proc. of NDSS,
33(3):3–12, 2003. volume 2011, 2011.
[12] Henry Corrigan-Gibbs and Bryan Ford. Dissent: accountable [33] The FIPS 186-4 Digital Signature Algorithm Validation
anonymous group messaging. In 17th CCS, October 2010. System. http://csrc.nist.gov/groups/STM/cavp/documents/
[13] Leucio Antonio Cutillo, Refik Molva, and Thorsten Strufe. dss2/dsa2vs.pdf.
Safebook: A privacy-preserving online social network [34] David Recordon and Drummond Reed. OpenID 2.0: A
leveraging on real-life trust. Communications Magazine, platform for user-centric identity management. In
IEEE, 47(12):94–101, 2009. Proceedings of the second ACM workshop on Digital identity
[14] Arkajit Dey and Stephen Weis. Pseudoid: Enhancing privacy management. ACM, 2006.
in federated login. Hot topics in privacy enhancing [35] Ronald L. Rivest, Adi Shamir, and Yael Tauman. How to
technologies, pages 95–107, 2010. leak a secret. In 7th ASIACRYPT, December 2001.
[15] Mario Di Raimondo, Rosario Gennaro, and Hugo Krawczyk. [36] SecureDrop. https://pressfreedomfoundation.org/
Deniable authentication and key exchange. In CCS, 2006. securedrop/.
[16] Roger Dingledine, Nick Mathewson, and Paul Syverson. Tor: [37] Victor R. L. Shen, Yu fang Chung, Tzer Shyong Chen, and
the second-generation onion router. In 13th USENIX Security Yu An Lin. A blind signature based on discrete logarithm
Symposium, August 2004. problem. ICIC, 7(9), September 2011.
[17] John R. Douceur. The Sybil attack. In 1st IPTPS, March [38] Patrick P Tsang, Man Ho Au, Apu Kapadia, and Sean W
2002. Smith. Blacklistable anonymous credentials: Blocking
[18] Adrienne Felt and David Evans. Privacy protection for social misbehaving users without TTPs. In 14th CCS, October
networking APIs. W2SP, 2008. 2007.
[19] Saikat Guha, Kevin Tang, and Paul Francis. Noyb: Privacy in [39] Ryu Watanabe and Yutaka Miyake. Account management
online social networks. In WOSN, 2008. method with blind signature scheme. Engineering and
[20] E. Hammer-Lahav. The OAuth 1.0 protocol, April 2010. Technology, World of Science, (59):2069–2073, 2011.
RFC 5849. [40] Alma Whitten and J. Doug Tygar. Why johnny can’t encrypt:
[21] Ed Hardt. The OAuth 2.0 authorization framework, October A usability evaluation of PGP 5.0. In Proceedings of the 8th
2012. RFC 6749. USENIX Security Symposium, August 1999.
[22] Ryan Henry, Kevin Henry, and Ian Goldberg. Making a [41] David Isaac Wolinsky, Henry Corrigan-Gibbs, Aaron
nymbler nymble using verbs. In PETS, 2010. Johnson, and Bryan Ford. Dissent in numbers: Making
[23] Peter C Johnson, Apu Kapadia, Patrick P Tsang, and Sean W strong anonymity scale. In 10th OSDI, October 2012.
Smith. Nymble: Anonymous IP-address blocking. In PETS,
2007.
[24] Zubair Ahmad Khattak, Jamalul-lail Ab Manan, Suziah
Sulaiman, et al. Analysis of open environment sign-in
11